[Vulnerability notice] CVE-2017-5638: Remote code execution vulnerability in Struts based on Jakarta plugin (S2-045)

Last Updated: Apr 08, 2018

On March 6, 2017, a remote command execution vulnerability in Apache Struts 2 was disclosed. The vulnerability number is S2-045, and the CVE number is CVE-2017-5638. Remote command execution may be possible when files are uploaded through the Jakarta plugin, allowing a hacker to intrude into the system.

See the following for more information about the vulnerability.

CVE identifier

CVE-2017-5638

Vulnerability name

Struts remote code execution vulnerability based on Jakarta plugin

Vulnerability rating


Vulnerability description

If the exception handling function of the upload feature fails to correctly handle the error information entered by users, a remote attacker can modify the Content-Type value in the HTTP request header to construct and send malicious packets and run arbitrary system commands on the affected server.

Condition and method of exploitation

The vulnerability allows a hacker to run code by using the Jakarta plugin.

Affected scope

  • Struts 2.3.5 - 2.3.31
  • Struts 2.5 - 2.5.10

How to fix or mitigate

  • By default, Struts 2 uses the Jakarta Commons FileUpload file upload parser, which contains the vulnerability. The default configuration is struts.multipart.parser=jakarta. To avoid the vulnerability, use another parser, such as the COS file upload parser (struts.multipart.parser=cos) or the Pell file upload parser.

  • We recommend that you upgrade Struts to Struts 2.3.32 or Struts

    Note: Back up snapshots before the upgrade.

  • Use Alibaba Cloud Security WAF for defense.
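
The affected-scope and parser checks above can be combined into one audit. The following Python is an added example, not part of the original notice or of Struts. It assumes the Struts version can be read from the `struts2-core-<version>.jar` file name and that the parser is set in `struts.properties`; the function names and sample paths are constructed for illustration.

```python
import re

# Affected ranges as listed in the notice (inclusive bounds).
AFFECTED = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
# Assumption: the version is readable from the struts2-core jar file name.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)[^/\\]*\.jar$")
PARSER_RE = re.compile(r"^[ \t]*struts\.multipart\.parser[ \t]*[=:][ \t]*(\S+)", re.M)

# Constructed sample input: jar paths as they might appear under WEB-INF/lib.
SAMPLE_JARS = [
    "/opt/app1/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/app2/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/opt/app3/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/app3/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

def parse_version(text):
    """Turn '2.3.16.3' into (2, 3, 16, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def is_affected(version):
    """True if the version tuple lies inside one of the notice's ranges."""
    return any(low <= version <= high for low, high in AFFECTED)

def configured_parser(properties_text):
    """Read struts.multipart.parser; the notice gives 'jakarta' as the default."""
    match = PARSER_RE.search(properties_text)
    return match.group(1).lower() if match else "jakarta"

def audit(jar_paths, properties_text=""):
    """Return (path, version, status) for each struts2-core jar in jar_paths."""
    parser = configured_parser(properties_text)
    findings = []
    for path in jar_paths:
        match = JAR_RE.search(path)
        if not match:
            continue  # not a Struts core jar
        version = match.group(1)
        if not is_affected(parse_version(version)):
            status = "ok"
        else:
            # Another parser is the notice's workaround; upgrading is the fix.
            status = "affected" if parser == "jakarta" else "mitigated"
        findings.append((path, version, status))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_JARS):
        print(*finding)
```

A parser set elsewhere than `struts.properties` is not seen by this check, so a "affected" result should be confirmed against the application's full configuration.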